Cybersecurity challenges of IoMT and mitigation – Technologist

Hospitals, medical facilities, and research laboratories are heavily dependent on connected devices and the Internet of Medical Things (IoMT), where the desire and need for data acquisition have necessitated such connectivity. The patient journey in Asia Pacific is accelerated by the increasing adoption of IoMT and other smart assets.

According to Data Bridge Market Research, the IoMT market in Asia Pacific is expected to grow with a CAGR of 24.1% from 2021 to 2028. Despite the growing IoMT market and rising adoption of advanced technologies, the healthcare industry still lags behind other advanced sectors such as info-communications on cybersecurity.

The cybersecurity risks patients and operations can be exposed to are real and pervasive. Additionally, the accreditation and compliance to standards for connected medical assets, including IoMT, are also straggling.  With the growing number of unmanaged medical and non-medical devices and sensors, the risks to hospitals’ cybersecurity go beyond IoMT itself.

According to the Identity Theft Resource Center (ITRC), during the first half of 2022, the healthcare sector has been the number one target of data breaches.

James Millington, senior director of product marketing at Armis, says concerns are not only with confidential medical data but also with patient care disruptions that might have life-threatening consequences. After all, the threat landscape has evolved with the rise of ransomware as a lucrative business model for criminals.

“The complexity of the healthcare tech stack, due to a diverse number of devices and types of systems, makes it harder to track assets and manage their vulnerabilities.”

James Millington

“For example, hospitals need to deal with a great number of medical device vendors, each one with its own, little-known proprietary operating system. Besides, many of those devices are mobile — think of infusion pumps being moved from one room to another, which can lead to misplacement or loss,” he added.

Does the coexistence of OT, IT, IoT, and IoMT expand the attack surface?

The healthcare device ecosystem is highly connected – beyond smart medical devices that are touching the patient or directly providing care. The growing number of devices connected to the internet – over 55 billion by 2025, as per IDC – leads to an increased attack surface, too.

Printers, self-check-in tablets, surveillance systems, smart lighting systems, and temperature control for vaccine storage are just a few examples of enterprise IT, Internet of Things (IoT), and operational technology (OT) in medical facilities. Hacking a smart TV in a waiting room might open the door to threats that can move laterally in often poorly segmented hospital networks and cause disruptions to patient care.

Why is it a concern that medical devices do not accommodate agents?

Since medical and clinical devices are regulated and built intentionally as walled hardware to achieve a specific outcome (for example, administering a medication), they usually don’t accommodate external software. As a result, they cannot be secured through traditional endpoint agents, nor easily updated or patched.

Effective patch management is a significant concern given that cybercrime and nation-state actors have focused on discovering vulnerabilities or unpatched systems as a main method of attack, according to the 2021 Microsoft Digital Defense Report.

Will the use of legacy technology compromise cybersecurity?

Medical devices generally have a higher lifecycle than consumer technology. Due to concerns over patching or restrictions due to FDA certifications, the operating systems and software running these devices may go untouched and unpatched for fear of rendering the device inoperable and impacting patient care.

Since medical equipment is expensive to replace, devices may even be operating outside the supported lifetime of the software they are running. An MRI machine, for example, might cost more than $400,000. Investments in hospital technology involve planning, training, and government subsidies.

Are vulnerability scans disrupting healthcare?

Medical devices have different sensitivities. You don’t know how a specific operating system (OS) will respond to the protocols of a vulnerability scanner. When the communication deviates from the expected, the device might crash.

If you are doing a scan through a workstation, the end user can likely tolerate the disruption, but a medical device malfunction while touching a patient can negatively affect care (for example, if the device stops working in the middle of surgery).

Network segmentation is recognised as a standard security strategy. How is the inconsistency in network segmentation affecting healthcare?

A typical hospital network is flat and divided between biomedical and corporate IT security teams, creating silos. IT is concerned with cybersecurity, while biomedical teams focus on clinical usage. Traditionally, VLAN keeps both sides separated, but it’s not designed for security.

Exposure to the IT side of the house increases risks. Many threats start on the IT side, such as the case of WannaCry malware, which spread through computers operating Microsoft Windows. As per Armis research, 40% of healthcare organisations suffered from the WannaCry attack.

How to stay on top of IoMT vulnerabilities?

Healthcare delivery organisations often lack the visibility to expand their vulnerability management programs to medical devices. Asset inventory is often a manual effort where healthcare professionals do a site survey, literally walking through every single room to see what they have and writing it down in an Excel sheet.

Improved Internet of Medical Things security requires a holistic, automated inventory of every digital asset (IT, OT, IoT, and IoMT), regardless of who purchased them (IT or biomedical teams).

To support today’s healthcare innovations, hospitals need a comprehensive cybersecurity and asset management solution that can monitor all devices, including those that cannot accommodate security agents.